[Openswan Users] Tunnel with SA established but the tunnel doesn't tunnel!

Greg Scott GregScott at InfraSupportEtc.com
Sat Jul 22 20:01:10 CEST 2006

I must be missing something basic here.  I am trying to set up a simple
tunnel with 2 subnets.  Here is the scenario below.  Apologies if an
emailer somewhere along the line butchers the line wrapping.

               Left Firewall  <-Internet-->  Right Firewall
        eth1                 eth0           eth0                 eth1

The left firewall and right firewall are running fc5 with the netkey
stack and kernel from kernel.org.  

When I watch /var/log/secure on both systems, I see a series of
messages, ending with messages like this:

Jul 22 18:17:02 lakeville-fw pluto[5492]: "Roseville-Lakeville" #5:
transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 22 18:17:02 lakeville-fw pluto[5492]: "Roseville-Lakeville" #5:
STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xad5f74c3}

This tells me the SA is established between the subnets, so
communication between the two subnets should go over the tunnel.  But
that's not what happens.  When a host in either subnet tries to ping the
other side, tcpdump on the sending firewall tells me the packets route
in the clear out across the Internet.  I should see esp messages going
to/from the other subnet.  But instead, I see icmp echo request messages
coming from the sending subnet.  Yuck!

I must be missing a simple setup step but I don't see it.  

Here is ipsec.conf I am using, along with the included files and my conn
definition.  I like the way fc5 packages these config files, except that
it isn't working for me:

[root at lakeville-fw gregs]# 
[root at lakeville-fw gregs]# cd /etc
[root at lakeville-fw etc]# more ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# Manual:     ipsec.conf.5
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for
        # klipsdebug=none
        # plutodebug="control parsing"

include /etc/ipsec.d/*.conf
[root at lakeville-fw etc]# 
[root at lakeville-fw etc]# 
[root at lakeville-fw etc]# 
[root at lakeville-fw etc]# ls /etc/ipsec.d
examples  hostkey.secrets  no_oe.conf  policies
[root at lakeville-fw etc]# 
[root at lakeville-fw etc]# 
[root at lakeville-fw etc]# more ipsec.d/no_oe.conf
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block 

conn private 

conn private-or-clear 

conn clear-or-private 

conn clear 

conn packetdefault 
[root at lakeville-fw etc]# 
[root at lakeville-fw etc]# 
[root at lakeville-fw etc]# more ipsec.d/Roseville-Lakeville.conf
# /etc/ipsec.d/Lakeville-Roseville.conf - IPsec configuration file for
this conn
# The HOME office in Lakeville is always on the right.  ("Make yerself
# while the other branch stores have LEFT home.)
# Openswan bundled with fc5 - see the include directive from
#       Here are some useful commands:
#       /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets
#       /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets
#       /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets > rightkey.txt
#       Show this host's public key in a format suitable to insert into 
#       ipsec.conf.  This host can be either the left or right key.
#       /usr/sbin/ipsec auto --down london-farout
#       Brings down the tunnel named london-farout
#       /usr/sbin/ipsec auto --up london-farout
#       Brings up the tunnel named london-farout
#       /usr/local/sbin/ipsec look
#       To observe all kinds of stuff about the IPSEC tunnels
#       /usr/local/sbin/ipsec showhostkey > junk.tmp
#       Generates a DNS key record into the file junk.tmp for later 
#       insertion into a DNS zone file
#       These were some equivalent commands under prior versions of Open
#       /usr/sbin/ipsec showhostkey --left
#       /usr/sbin/ipsec showhostkey --right
#       /usr/sbin/ipsec showhostkey --left > junk.tmp

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration

conn Roseville-Lakeville
        # RSA 2192 bits   roseville-fw   Thu Jul 20 18:47:26 2006
        # Right security gateway, subnet behind it, next hop toward
        # RSA 2192 bits   lakeville-fw   Wed Jul 19 21:09:32 2006

[root at lakeville-fw etc]# 

This is what ipsec verify tells me:

[root at lakeville-fw etc]# /usr/sbin/ipsec verify
Checking your system to see if IPsec got installed and started
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.4/K2.6.17.2fw21 (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [FAILED]
hostname: Unknown host
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                              
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
Opportunistic Encryption Support
[root at lakeville-fw etc]# 

It says the RSA private key failed - but it isn't really a failure
because of the way fc5 packages ipsec.secrets, like this:
[root at lakeville-fw etc]# 
[root at lakeville-fw etc]# more /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
[root at lakeville-fw etc]# 

And I know the RSA keys are good because I establish an SA.  I must be
missing a simple setup someplace - but what??

Thanks for any advice.  

- Greg Scott
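The symptom in this post (ISAKMP and IPsec SAs negotiated, yet echo requests leave the outside interface in the clear) is exactly what you see when the kernel's security policy database (SPD) has no policy that matches the two subnets, so the established SA is never applied to the traffic. The script below is an added example, not code from Greg's post or from the Openswan project: it parses the output layout of `ip xfrm policy` (iproute2; on a 2006 netkey box `setkey -DP` shows the same policies in a different layout) and a short tcpdump capture from the outside interface, then reports whether an outbound ESP tunnel policy covers a subnet pair and which packets between those subnets went out unprotected. All sample data, addresses and subnets are constructed placeholders, since the post's diagram lost the real subnet details.

```python
"""Check that an IPsec tunnel's policies actually cover a subnet pair and
that no cleartext traffic between the subnets leaks out the WAN side.

Added example; the `ip xfrm policy` text layout below is assumed to be
the iproute2 one ('src A dst B' line, 'dir out|in|fwd' line, 'tmpl' line,
then 'proto esp ... mode tunnel'). Sample data is constructed."""
import ipaddress
import re

# Constructed sample: only an inbound policy exists, so packets from the
# left subnet to the right subnet are routed in the clear (the failure mode
# described in the post).
SAMPLE_XFRM_MISSING_OUT = """\
src 10.0.2.0/24 dst 10.0.1.0/24
\tdir in priority 2344 ptype main
\ttmpl src 198.51.100.1 dst 192.0.2.1
\t\tproto esp reqid 16385 mode tunnel
"""

# Constructed sample of a healthy SPD: both directions are covered.
SAMPLE_XFRM_OK = SAMPLE_XFRM_MISSING_OUT + """\
src 10.0.1.0/24 dst 10.0.2.0/24
\tdir out priority 2344 ptype main
\ttmpl src 192.0.2.1 dst 198.51.100.1
\t\tproto esp reqid 16385 mode tunnel
"""

# Constructed tcpdump lines as seen on the left firewall's outside interface.
SAMPLE_TCPDUMP = """\
18:17:05.100 IP 10.0.1.10 > 10.0.2.10: ICMP echo request, id 1, seq 1, length 64
18:17:05.200 IP 192.0.2.1 > 198.51.100.1: ESP(spi=0xad5f74c3,seq=0x1), length 116
18:17:05.300 IP 10.0.1.10 > 10.0.2.10: ICMP echo request, id 1, seq 2, length 64
"""

POLICY_HEAD = re.compile(r"^src (\S+) dst (\S+)")
TMPL = re.compile(r"^tmpl src (\S+) dst (\S+)")
# Captures src IP, dst IP and the protocol token (ICMP, ESP(...), Flags ...).
PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\S* > (\d+\.\d+\.\d+\.\d+)\S*: (\S+)")


def parse_xfrm_policies(text):
    """Turn `ip xfrm policy` output into a list of policy dicts."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        head = POLICY_HEAD.match(line)
        if head:
            policies.append({"src": ipaddress.ip_network(head.group(1)),
                             "dst": ipaddress.ip_network(head.group(2)),
                             "dir": None, "tmpl": None, "esp_tunnel": False})
            continue
        if not policies:
            continue  # ignore anything before the first policy header
        cur = policies[-1]
        if line.startswith("dir "):
            cur["dir"] = line.split()[1]
        elif line.startswith("tmpl "):
            tmpl = TMPL.match(line)
            if tmpl:
                cur["tmpl"] = (tmpl.group(1), tmpl.group(2))
        elif line.startswith("proto "):
            cur["esp_tunnel"] = "proto esp" in line and "mode tunnel" in line
    return policies


def policy_covers(policies, src_net, dst_net, direction="out"):
    """Return the first policy that protects src_net -> dst_net in the given
    direction with an ESP tunnel template, or None if the SPD lacks one."""
    src_net, dst_net = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    for pol in policies:
        if (pol["dir"] == direction and pol["esp_tunnel"]
                and src_net.subnet_of(pol["src"]) and dst_net.subnet_of(pol["dst"])):
            return pol
    return None


def cleartext_leaks(tcpdump_text, net_a, net_b):
    """Capture lines carrying traffic between the two protected subnets that
    are not ESP encapsulated, i.e. packets the tunnel should have wrapped."""
    net_a, net_b = ipaddress.ip_network(net_a), ipaddress.ip_network(net_b)
    leaks = []
    for line in tcpdump_text.splitlines():
        pkt = PKT.search(line)
        if not pkt:
            continue
        src, dst = ipaddress.ip_address(pkt.group(1)), ipaddress.ip_address(pkt.group(2))
        between = (src in net_a and dst in net_b) or (src in net_b and dst in net_a)
        if between and not pkt.group(3).startswith("ESP"):
            leaks.append(line)
    return leaks


if __name__ == "__main__":
    left, right = "10.0.1.0/24", "10.0.2.0/24"
    for label, text in (("missing-out", SAMPLE_XFRM_MISSING_OUT), ("ok", SAMPLE_XFRM_OK)):
        pol = policy_covers(parse_xfrm_policies(text), left, right)
        print(f"{label}: outbound ESP policy {left} -> {right}:", "present" if pol else "MISSING")
    for line in cleartext_leaks(SAMPLE_TCPDUMP, left, right):
        print("cleartext leak on outside interface:", line)
```

Run it against real output by piping `ip xfrm policy` and a `tcpdump -ni eth0` capture into the two parsers; an established SA (`ip xfrm state`) with no matching `dir out` policy is the combination that produces "SA established but packets in the clear".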
